“The attack against Kasumi cannot practically be used against GSM”

To succeed, the attack on the Kasumi block (which is a part of A5/3) requires almost complete control over the inputs and outputs of this block

Last Wednesday, we published an article about an attack allegedly breaking the A5/3 GSM encryption algorithm. Hervé Sibert contacted us to provide further details: "In order to succeed in attacking Kasumi, which is a building block of A5/3, one needs to have almost full control over the block inputs and outputs." According to him, even though the attack remains valid, a deeper analysis is required to evaluate the impact on the A5/3 algorithm used in 2G, as well as on the other GSM algorithms built upon Kasumi: UEA1 in 3G (UMTS), and GEA3 in GPRS. Hervé Sibert has come to the conclusion that the attack does not apply in practice. "Even better, in the case of A5/3 and GEA3, the assumptions made by the attacker about the keys that are used are precisely never satisfied."

01netPro: Can we say that Kasumi is a synonym for A5/3?

Hervé Sibert: No. Kasumi is a building block used in the A5/3 (2G), UEA1 (3G) and GEA3 (GPRS) GSM confidentiality algorithms (refer to the diagram below).

How is Kasumi used in A5/3, UEA1 and GEA3?

A session confidentiality key CK is derived pseudo-randomly within the SIM card from the 128-bit subscriber key, Ki, and from a 128-bit value provided by the network. Kasumi is applied to known public data using a key derived from CK in order to generate a pseudo-random seed (step not represented on the diagram). A sequence of masking blocks S ("keystream") is generated iteratively using Kasumi with key CK: each new masking block is generated by encrypting the XOR of the previous masking block with a counter value incremented at each block and with the pseudo-random seed. Finally, the masking blocks S are used to mask (using XOR) the data blocks M, such as encoded voice, before radio link transmission.

What is the goal of the attack?

The goal of the attack is to retrieve 4 session keys CK used to generate masking blocks - as once these keys are known, it is possible to generate more masking blocks and unmask eavesdropped data.

How relevant is this attack?

This attack has three main requirements:

1. being able to choose several megabytes of data to be encrypted with Kasumi. This is not possible as the data input to Kasumi are well-defined and out of the control of an attacker.

2. obtaining the corresponding millions of masking blocks S; this amounts to knowing the full plain message blocks M, which is not possible in practice, unless one can get inside the mobile to retrieve them - but then why would we try to break the encryption when we have access to the plain data with a trojan?

3. that the four session keys CK to be retrieved, used by Kasumi to encrypt the above data, are mathematically linked: they must be deduced from one another by flipping their 33rd and/or their 97th bit. Session keys are pseudo-randomly generated and out of the attacker's control, thus expecting to obtain such keys is of the same complexity as running a brute force attack.

This attack is thus not practical with respect to the way Kasumi is used in GSM. Note that in A5/3 and GEA3, the detailed specification forces the 33rd and 97th bits of session keys to be equal. Therefore, a set of keys suitable for the attack will never be used.

What is the status of GSM algorithms after this attack?

A5/2 and A5/1 are broken, and this has been the case for quite a few years (long before the December news on A5/1). This new attack does not threaten A5/3, UEA1 or GEA3 more than a brute force attack - even more, it has an absolute zero success probability with A5/3 and GEA3. It is worth noting that several encryption algorithms are vulnerable to "related-key attacks" without yielding real-life vulnerabilities.

Algorithms with enhanced security are continuously introduced in new standards (4G/LTE) and existing ones (2G, 3G). For instance, the SNOW 3G algorithm - the basis for LTE security - is being introduced in the 3G UMTS standard as UEA2 and it is likely that a 2G version will be specified in the near future. LTE will also allow the use of the well-known AES standard. Finally, 2G will soon use 128-bit keys starting with the A5/4 algorithm, instead of the current 64-bit keys. GSM is thus getting ready to counter future, really practical attacks against A5/3, UEA1 and GEA3.

Pseudorandom seed: value generated through an initialization step consisting of applying Kasumi to a known 64-bit block, with a key other than CK

Counter: number of blocks output so far (incremented after each block)

Masking blocks: the 64-bit blocks generated by Kasumi are called masking blocks (or keystream), as they are used to encrypt the data blocks by masking them bitwise. Upon reception of the encrypted blocks, the network, which holds the same key CK, can generate the same masking blocks in order to unmask the data.
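
The masking-block construction in the legend above and the bit 33/97 constraint from the interview, as an added sketch that is not taken from the interview or from the GSM specifications. Kasumi is replaced by a truncated HMAC-SHA256 stand-in; the seed-key derivation, the all-zero first block, the bit numbering and all sample values are assumptions.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit masking blocks, as in the legend above

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for Kasumi (assumption): HMAC-SHA256 truncated to 64 bits."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(ck: bytes, public_block: bytes, nblocks: int) -> bytes:
    # Seed: the cipher applied to known public data under a key derived from CK.
    # The derivation used here (XOR with 0x55 bytes) is a placeholder assumption.
    seed = block_encrypt(xor(ck, b"\x55" * len(ck)), public_block)
    prev, out = bytes(BLOCK), []  # first "previous block" assumed all-zero
    for counter in range(nblocks):
        mixed = xor(xor(prev, counter.to_bytes(BLOCK, "big")), seed)
        prev = block_encrypt(ck, mixed)  # S_i = E_CK(S_{i-1} ^ counter ^ seed)
        out.append(prev)
    return b"".join(out)

def mask(data: bytes, ck: bytes, public_block: bytes) -> bytes:
    """XOR data with the keystream; the same call unmasks on the network side."""
    nblocks = -(-len(data) // BLOCK)  # ceiling division
    return xor(data, keystream(ck, public_block, nblocks))

def get_bit(key: bytes, n: int) -> int:
    """n-th bit, 1-based from the most significant bit (numbering assumed)."""
    return (key[(n - 1) // 8] >> (7 - (n - 1) % 8)) & 1

def flip_bit(key: bytes, n: int) -> bytes:
    k = bytearray(key)
    k[(n - 1) // 8] ^= 1 << (7 - (n - 1) % 8)
    return bytes(k)

def related_quartet(ck: bytes) -> list:
    """The four keys the attack needs: CK with bit 33 and/or bit 97 flipped."""
    return [ck, flip_bit(ck, 33), flip_bit(ck, 97), flip_bit(flip_bit(ck, 33), 97)]

def spec_compliant(ck: bytes) -> bool:
    """Constraint stated in the interview for A5/3 and GEA3: bit 33 == bit 97."""
    return get_bit(ck, 33) == get_bit(ck, 97)

# Constructed sample values, not real keys or traffic.
CK = bytes.fromhex("0123456789abcdef0123456789abcdef")
PUBLIC = b"\x00" * BLOCK
FRAME = b"constructed voice frame"
```

Whatever compliant CK is chosen, the two quartet members with exactly one of the two bits flipped break the equality, so the full set of four related keys never occurs under that constraint.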